Open source developer sabotages widely used libraries, breaking thousands of projects

One developer appears to have sabotaged two open source libraries hosted on GitHub and published to the npm registry, “faker.js” and “colors.js”, that thousands of projects depend on, rendering any application that pulls in the poisoned versions unusable, as reported by BleepingComputer. Although colors.js appears to have been updated to a working version, faker.js still appears to be affected; the issue can be worked around by downgrading to an earlier release (5.5.3).
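The practical question for anyone who consumed these packages is whether a sabotaged copy is sitting anywhere in the dependency tree, including transitively, and how to pin it back. The script below is an added example written for this article; it is not code from the article, from The Verge, or from the faker.js or colors.js projects. It scans a parsed package-lock.json (both the v1 "dependencies" and the v2/v3 "packages" shapes) for copies of the two libraries newer than the last release before the sabotage, and emits the package.json "overrides" block that forces every copy to that release. The faker threshold 5.5.3 comes from the article; the colors threshold 1.4.0 is my assumption based on the incident and is not stated on the page. The lockfile fragment is constructed for the demonstration, not taken from a real project.

```javascript
// Added example, not from the article or either project: find copies of
// colors/faker newer than the last pre-sabotage release in an npm lockfile,
// and build the package.json "overrides" block that pins them.

// faker 5.5.3 is the safe version named in the article; colors 1.4.0 is an
// assumption (the last release before the sabotaged ones), not from the page.
const LAST_SAFE = { faker: "5.5.3", colors: "1.4.0" };

// Minimal semver comparison on the numeric major.minor.patch triple.
// A pre-release suffix such as "-liberty-2" is stripped first, so
// 1.4.44-liberty-2 still compares as greater than 1.4.0.
function parseVersion(v) {
  const core = v.split("-")[0].split("+")[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`unparseable version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk a parsed package-lock.json. Lockfile v2/v3 lists every installed copy
// under "packages" keyed by its node_modules path; lockfile v1 nests copies
// under "dependencies". Transitive copies (e.g. colors pulled in by some CLI
// tool) are therefore not missed.
function findSabotagedPackages(lock, lastSafe = LAST_SAFE) {
  const hits = [];
  const check = (path, name, version) => {
    if (!(name in lastSafe) || !/^\d/.test(version)) return; // skip git/URL specs
    if (compareVersions(version, lastSafe[name]) > 0) {
      hits.push({ path, name, version, lastSafe: lastSafe[name] });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path || !meta.version) continue; // "" is the root project entry
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(path, name, meta.version);
    }
  } else {
    const walkV1 = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (meta.version) check(path, name, meta.version);
        walkV1(meta.dependencies, `${path}/`);
      }
    };
    walkV1(lock.dependencies, "");
  }
  return hits;
}

// npm 8.3+ honours an "overrides" block in package.json that forces every
// copy of a package, transitive ones included, to the given version.
function overridesBlock(lastSafe = LAST_SAFE) {
  return { overrides: { ...lastSafe } };
}

// Constructed lockfile fragment (not a real project): a direct faker
// dependency on the sabotaged 6.6.6, a transitive colors at the "liberty"
// version, and one colors copy that is still on the safe release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/colors": { version: "1.4.44-liberty-2" },
    "node_modules/colors": { version: "1.4.0" },
  },
};

function report(lock) {
  return findSabotagedPackages(lock).map(
    (h) => `${h.path}: ${h.name}@${h.version} (last safe ${h.lastSafe})`
  );
}

for (const line of report(SAMPLE_LOCK)) console.log(line);
console.log(JSON.stringify(overridesBlock(), null, 2));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK; the version comparison is deliberately naive (numeric triple only) because the goal is to catch anything above a known-good baseline, not to implement full semver range semantics.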

BleepingComputer found that the developer of both libraries, Marak Squires, introduced a malicious commit (a file revision on GitHub) to colors.js that adds “a new US flag module”, and also published version 6.6.6 of faker.js, which triggers the same destructive behaviour. The sabotaged versions cause applications to print garbled characters and symbols in an endless loop, starting with three lines of text that read “LIBERTY LIBERTY LIBERTY”.

Even more curiously, the faker.js README has also been changed to read “What really happened to Aaron Swartz?” Swartz was a prominent developer who helped establish Creative Commons, RSS and Reddit. In 2011 he was charged with downloading large numbers of documents from the JSTOR academic database with the aim of making them freely accessible; he died by suicide in 2013. Squires’ reference to Swartz could be an allusion to the conspiracy theories that surround his death.

As BleepingComputer points out, a number of users, including some working with Amazon’s Cloud Development Kit, opened issues on the projects’ GitHub issue trackers to express concern. And since faker.js sees almost 2.5 million weekly downloads on npm and colors.js around 22.4 million, the effects of the sabotage are likely to be far-reaching. For context, faker.js generates fake data for demos and tests, and colors.js adds colour to text printed to the Node.js console.

In response, Squires posted an update on GitHub to resolve the “zalgo issue”, a reference to the garbled text the corrupt files produce. “It has come to our attention that there is a zalgo error in the v1.4.44-liberty-2 release of colors,” Squires writes, presumably sarcastically. “Please note that we are working right now to fix the situation and will have a solution soon.”

Two days after pushing the corrupt update to faker.js, Squires tweeted that he had been suspended from GitHub, despite hosting hundreds of projects on the site. However, judging from the change logs of both faker.js and colors.js, the suspension appears to have been lifted: Squires introduced the faker.js commit on January 4, was banned on January 6, and did not publish the “liberty” version of colors.js until January 7. It is unclear whether his account has since been banned again. The Verge contacted GitHub for comment, but GitHub did not respond immediately.

But the story does not end there. BleepingComputer dug up one of Squires’ posts on GitHub from November 2020, in which he declared that he no longer wanted to do free work. “Respectfully, I will no longer support the Fortune 500s (and other smaller companies) with my free work,” he says. “Take this as an opportunity to send me a six-digit annual contract or split the project and get someone else to work on it.”

Squires’ drastic move draws attention to the moral and economic dilemma of open source development, which was probably the goal of his actions. A huge number of websites, applications and services rely on open source developers to create essential tools and components, for free. It is the same problem that leaves unpaid developers working tirelessly to fix vulnerabilities in their open source software, as with the Heartbleed scare in 2014 that affected OpenSSL and the more recent Log4Shell vulnerability in log4j, which volunteer maintainers scrambled to fix.
